Let’s Take a Look at Phishing Attacks
Phishing attacks are growing in number, and they present a major challenge for businesses. The many different forms these attacks take only exacerbate the problem. Today, we will take a brief look at phishing attacks to help you educate your staff on what they entail and how to mitigate the risk that comes with them.
Phishing Attacks
A phishing attack arrives as communication that appears to come from a trustworthy source, so as to fool the recipient into interacting with it. This could be in the form of an email, a text message, a phone call, or any other form of direct communication. The goal is to manipulate the recipient into providing access credentials to network-attached resources so the attacker can steal data or deploy malware.
Since phishing can come in several different forms, it is an effective way to breach your network defenses. Because the scammers are given access, they don’t have to try and outright breach your network defenses, which in many cases are extremely hard to hack into. Let’s take a look at some of the ways these scams are disseminated.
Business Email Compromise
In a business email compromise scam, the scammer sends an employee an email that, at first glance, comes from an authority figure inside the business. The message will be quite vague, but it directs the recipient to take some type of action that will allow the hacker to gain access to resources. Many employees will not think twice when their manager tells them to complete a task, so phishing attacks of this type succeed because people don't take the time to confirm that the message is actually from the person it claims to be from.
Hackers use this method because it works. In Q2 of 2020, successful business email compromise scams averaged $80,193. To avoid being scammed, employees should always question emails, even if they come from seemingly legitimate sources. When in doubt, a phone call to the sender is an easy way to verify an email's
Clone Phishing
One of the most successful phishing scams uses a clone of a message the recipient has seen before. By gaining access to data beforehand, the hacker can craft a message that looks like one the recipient has received previously. Typically, this familiarity removes any suspicion that the message is actually from a scammer. The links are altered to reroute to a site where the scammers collect more information. It is a pretty crafty way to steal credentials.
Smishing
Email may be the predominant way that phishing is pushed to people, but it isn't the only way. Smishing attacks are carried out through text (SMS) messaging. Most people are much less careful about opening and interacting with text messages than they are with their email, and as a result, scammers have started pushing phishing messages that look like legitimate messages through SMS. If you also consider that mobile devices often don't uphold the same security standards that PCs do, users are more vulnerable to an SMS attack. "Think before you click."
Spear Phishing
The spear phishing attack is probably the most dangerous of the phishing scams. First of all, it is deliberately designed for a single user. The hacker, in this case, has already done their due diligence and chosen their target based on information they already have about that person. Since these attacks take more time to properly execute, spear phishing is typically carried out against high-value targets. The success rate of these attacks is significantly higher than that of your average, run-of-the-mill phishing attack. Executives and upper management often tell us that they don't need security awareness training (it's only necessary for the rest of the company). In actuality, execs need this training the most, specifically because of spear phishing.
Vishing
Another take on phishing, vishing is just phishing over the phone. A scammer will call a target under the guise of a salesperson, finance professional, or PC repair service desk. Because of their perceived legitimacy, the scammer can typically extract information that will help them gain access to computing resources, or at the very least, the target’s personal or financial information.
Whaling
Whaling is a phishing attack, typically a spear phishing attack, aimed at business owners, decision makers, and executives. Because they are aimed at people who have access to (seemingly) everything in a company (call it 'the keys to the castle'), these attacks are often well planned. If successful, they often result in the biggest bounty for the perpetrator.
Phishing is a Serious Threat
You need to have a strategy in place to combat phishing as it is not going anywhere, anytime soon. If you would like to talk to our team about developing a plan to provide security awareness training give us a call at 216 397-4080. We’ll bring you up to speed on the current threat vector, what those threats look like, and how to avoid them.